1 This patch was derived from ISC source differences between bind-9.9.8 |
2 and bind-9.9.8-P1. |
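--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+ --- 9.6-ESV-R11-P4 released ---
+
+4260. [security] Insufficient testing when parsing a message allowed
+ records with an incorrect class to be be accepted,
+ triggering a REQUIRE failure when those records
+ were subsequently cached. (CVE-2015-8000) [RT #40987]
+
 --- 9.6-ESV-R11-P3 released ---
 
 4168. [security] A buffer accounting error could trigger an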
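--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,8 +15,6 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id$ */
-
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
 
@@ -207,6 +205,8 @@
 unsigned int verify_attempted : 1;
 unsigned int free_query : 1;
 unsigned int free_saved : 1;
+ unsigned int tkey : 1;
+ unsigned int rdclass_set : 1;
 
 unsigned int opt_reserved;
 unsigned int sig_reserved;
@@ -1363,6 +1363,15 @@
 * \li other.
 */
 
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li msg be a valid message with parsing intent.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MESSAGE_H */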
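Review bot: The Requires block on the new dns_message_setclass() prototype understates its contract: the implementation in message.c additionally asserts `msg->state == DNS_SECTION_ANY` and `msg->rdclass_set == 0`, so the call is only valid after a reset, before dns_message_parse(), and at most once. I would extend the block with `\li dns_message_parse() has not been called on msg since it was last reset.` and `\li dns_message_setclass() has not already been called on msg.`, since a caller that violates either gets a REQUIRE abort rather than an error return. The two new bit-fields in the struct hunk are also added without any hint of their meaning; `unsigned int tkey : 1; /* a TKEY question was seen while parsing */` and `unsigned int rdclass_set : 1; /* rdclass has been established */` would document what message.c reads and writes.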
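--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -436,6 +436,8 @@
 m->saved.base = NULL;
 m->saved.length = 0;
 m->free_saved = 0;
+ m->tkey = 0;
+ m->rdclass_set = 0;
 m->querytsig = NULL;
 }
 
@@ -1084,13 +1086,19 @@
 * If this class is different than the one we already read,
 * this is an error.
 */
- if (msg->state == DNS_SECTION_ANY) {
- msg->state = DNS_SECTION_QUESTION;
+ if (msg->rdclass_set == 0) {
 msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
 } else if (msg->rdclass != rdclass)
 DO_FORMERR;
 
 /*
+ * Is this a TKEY query?
+ */
+ if (rdtype == dns_rdatatype_tkey)
+ msg->tkey = 1;
+
+ /*
 * Can't ask the same question twice.
 */
 result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1234,12 +1242,12 @@
 * If there was no question section, we may not yet have
 * established a class. Do so now.
 */
- if (msg->state == DNS_SECTION_ANY &&
+ if (msg->rdclass_set == 0 &&
 rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
 rdtype != dns_rdatatype_tsig && /* class is ANY */
 rdtype != dns_rdatatype_tkey) { /* class is undefined */
 msg->rdclass = rdclass;
- msg->state = DNS_SECTION_QUESTION;
+ msg->rdclass_set = 1;
 }
 
 /*
@@ -1249,7 +1257,7 @@
 if (msg->opcode != dns_opcode_update
 && rdtype != dns_rdatatype_tsig
 && rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+ && rdtype != dns_rdatatype_key /* in a TKEY query */
 && rdtype != dns_rdatatype_sig /* SIG(0) */
 && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
 && msg->rdclass != dns_rdataclass_any
@@ -1257,6 +1265,16 @@
 DO_FORMERR;
 
 /*
+ * If this is not a TKEY query/response then the KEY
+ * record's class needs to match.
+ */
+ if (msg->opcode != dns_opcode_update && !msg->tkey &&
+ rdtype == dns_rdatatype_key &&
+ msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
 * Special type handling for TSIG, OPT, and TKEY.
 */
 if (rdtype == dns_rdatatype_tsig) {
@@ -1370,6 +1388,10 @@
 skip_name_search = ISC_TRUE;
 skip_type_search = ISC_TRUE;
 issigzero = ISC_TRUE;
+ } else {
+ if (msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
 }
 } else
 covers = 0;
@@ -1608,6 +1630,7 @@
 msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
 
 msg->header_ok = 1;
+ msg->state = DNS_SECTION_QUESTION;
 
 /*
 * -1 means no EDNS.
@@ -3491,3 +3514,15 @@
 dns_message_puttemprdatalist(message, &rdatalist);
 return (result);
 }
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+ REQUIRE(msg->rdclass_set == 0);
+
+ msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
+}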
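Review bot: The new KEY-class check in the `@@ -1257` hunk exempts a KEY record only while `msg->tkey` is set, and `tkey` is set solely from the question section in the `@@ -1084` hunk; a TKEY response that carries no question section (a case the `@@ -1234` hunk explicitly anticipates) therefore reaches `DO_FORMERR` whenever its KEY record's class differs from the established class, which may or may not be the intended outcome. If that is acceptable, a comment on the condition would save the next reader from re-deriving it, e.g. `/* tkey is only set from the question section; a question-less TKEY response gets no exemption */`. The same `msg->rdclass != dns_rdataclass_any && msg->rdclass != rdclass` pair now appears in the pre-existing check above it, in the new KEY check, and in the SIG `else` branch of the `@@ -1370` hunk; if these all live in the same section parser, a small `static inline` helper would keep the three in step the next time the rule changes. The enclosing functions start and end outside these hunks.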
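--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6614,6 +6614,8 @@
 goto done;
 }
 
+ dns_message_setclass(message, fctx->res->rdclass);
+
 result = dns_message_parse(message, &devent->buffer, 0);
 if (result != ISC_R_SUCCESS) {
 switch (result) {
@@ -6686,6 +6690,12 @@
 */
 log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
 
+ if (message->rdclass != fctx->res->rdclass) {
+ resend = ISC_TRUE;
+ FCTXTRACE("bad class");
+ goto done;
+ }
+
 /*
 * Process receive opt record.
 */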
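Review bot: The post-parse compare `message->rdclass != fctx->res->rdclass` in the second hunk looks unreachable given the first: dns_message_setclass() stores `fctx->res->rdclass` with `rdclass_set = 1` before dns_message_parse(), and the message.c hunks only assign `msg->rdclass` while `rdclass_set == 0`, so a mismatching question class already ends in FORMERR inside the parse, and the section-level checks appear to do the same for records. If it is meant as defence in depth, say so on the condition: `/* defensive: dns_message_setclass() above should already have forced a FORMERR on a class mismatch */`; and if a mismatch is deliberately retried rather than treated as a malformed reply, `resend = ISC_TRUE` deserves the same explanation, since it picks a different outcome from the parse-time FORMERR a few lines up. Both dns_message_setclass() call sites, here and in the xfrin.c hunk, also rely on the message being freshly reset (`state == DNS_SECTION_ANY`, `rdclass_set == 0`) or they abort on a REQUIRE; the reset is not visible in either hunk, so a one-line comment at each call naming that precondition would help. The enclosing function starts and ends outside both hunks.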
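--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -1205,6 +1205,8 @@
 msg->tsigctx = xfr->tsigctx;
 xfr->tsigctx = NULL;
 
+ dns_message_setclass(msg, xfr->rdclass);
+
 if (xfr->nmsg > 0)
 msg->tcp_continuation = 1;
 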
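--- a/version
+++ b/version
@@ -10,4 +10,4 @@
 PATCHVER=
 RELEASETYPE=-ESV
 RELEASEVER=-R11
-EXTENSIONS=-P3
+EXTENSIONS=-P4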